Improve security documentation around templates

Based on [CVE-2021-32822](https://nvd.nist.gov/vuln/detail/CVE-2021-32822) and [GHSL-2021-020: File disclosure in hbs - CVE-2021-32822](https://securitylab.github.com/advisories/GHSL-2021-020-pillarjs-hbs/) we might want to include recommendations for safe templating in https://expressjs.com/en/advanced/best-practice-security.html.

> Passing template engine configuration parameters through the Express render API can lead to vulnerabilities if the object is user controlled. Downstream applications often opt to pass their template data in directly through the remote user-controlled req.query object. This results in a scenario where a remote attacker may be able to subvert the vulnerable application through malicious template engine configuration options.

> The security impact is specific to the engine used by the application but ranges from XSS to RCE.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Improve security documentation around templates #37

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Improve security documentation around templates #37

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions